Facebook settles SEC complaint about data misuse disclosure
Facebook has agreed to pay $100 million to settle SEC allegations that it made misleading disclosures regarding the risk of misuse of users’ data.
According to the SEC, the social media company’s public disclosures for more than two years presented the risk of misuse of user data as simply hypothetical even though Facebook knew that a third-party developer had misused such data. Facebook has agreed to settle the action without admitting or denying the SEC’s allegations.
‘Public companies must accurately describe the material risks to their business,’ Stephanie Avakian, co-director of the SEC’s enforcement division, says in a statement, adding that companies also must have procedures in place to make accurate disclosures about material business risks.
Specifically, the SEC says the now-defunct advertising and data analytics company Cambridge Analytica in 2014 and 2015 paid an unnamed academic researcher to collect and transfer data from Facebook to create personality scores for roughly 30 million Americans.
The researcher, in violation of Facebook’s policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays and ‘page likes,’ which the firm used in connection with its political advertising activities, according to the SEC.
The agency alleges that Facebook discovered the misuse of its users’ information in 2015 but did not correct its existing disclosure for more than two years.
According to the agency’s complaint, Facebook learned about the collaboration between the researcher and Cambridge Analytica when it investigated a report published in The Guardian in December 2015. ‘Within days of the press report, both the researcher and Cambridge Analytica privately confirmed to Facebook that the researcher had transferred personality profiles based on Facebook user data to Cambridge Analytica,’ the SEC alleges. ‘Facebook determined that the transfer violated its policy that prohibits developers, like the researcher, from selling or transferring its users’ data, and told the researcher and Cambridge Analytica to delete the data.’
Despite this, the SEC says Facebook continued to tell investors that ‘our users’ data may be improperly accessed, used or disclosed’ – rather than stating that this had happened. According to the complaint, Facebook underlined this false impression when it told reporters looking into Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing. Facebook eventually disclosed the incident in March 2018.
The SEC also alleges that during this two-year period, Facebook had no specific policies or procedures to assess the results of its investigation for the purposes of making accurate disclosures in the company’s public filings.
It states in the complaint: ‘Facebook had no specific mechanism to summarize or report violations of its platform policy to employees responsible for ensuring the accuracy of Facebook’s filings with the commission. For example, the Facebook employees responsible for monitoring violations of the company’s platform policy were not provided with the draft disclosures pertaining to the misuse of user data.
‘As a result, Facebook senior management and relevant legal staff did not assess the scope, business impact, or legal implications of the researcher’s improper transfer of data to Cambridge, including whether or how it should have been disclosed in Facebook’s public filings or whether it rendered, or would render, any statements made by the company in its public filings misleading.’
Facebook says in a statement: ‘We share the SEC’s interest in ensuring that we are transparent with our investors about the material risks we face, and we have already updated our disclosures and controls in this area.’
At the time of announcing the incident, Facebook set out changes it planned to make to ‘prevent future abuse.’ Those included: investigating all apps that had access to large amounts of information before changes to the platform in 2014 to reduce data access; disclosing data misuse; restricting Facebook login data; and rewarding people who spot ‘vulnerabilities.’